changeset 13:e0ce45f043c0

boot ROM re: continuing plowing through the serial protocol code
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Wed, 24 Apr 2013 22:48:12 +0000
parents 25b016d16602
children 3443b1b08af4
files bootrom.disasm bootrom.notes
diffstat 2 files changed, 52 insertions(+), 12 deletions(-) [+]
--- a/bootrom.disasm	Wed Apr 24 19:32:45 2013 +0000
+++ b/bootrom.disasm	Wed Apr 24 22:48:12 2013 +0000
@@ -223,8 +223,9 @@
 ; *R0 return byte values:
 ;   00 = got nothing (timeout) or an invalid/non-understood command
 ;   01 = got 'i'
-;   02 =
-;   03 =
+;   02 = got 'p', 9 additional bytes received, a bunch of vars filled
+;   03 = got 'w', the rest of the command read into the buffer at
+;		  80010C, the flag at 80053C set
 ;   04 = got 'c', 1 additional byte received, extended to a half-word
 ;		  and written to 80052C
 ;   05 = got 'a'
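Review bot: The flag address in the new `03 = got 'w'` comment does not match the stores visible later in this diff. The error paths at 0x5b8 and 0x5e4, and the store at 0x394, write 1 with `strb r12, [r4, #24]`. With R4=0x800518 as annotated at 0x60c, that is 0x800518 + 0x18 = 0x800530; 80053C results only if the decimal offset 24 is read as hex 0x24. Unless R4 is reloaded in code outside these hunks, the comment should read `the flag at 800530 set`, and the 80053C entry added to bootrom.notes needs the same correction.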
@@ -262,6 +263,7 @@
      334:	e3a0a000 	mov	r10, #0	; 0x0
      338:	e3a06000 	mov	r6, #0	; 0x0
      33c:	ea000015 	b	0x398
+; more blocks
      340:	e5d40008 	ldrb	r0, [r4, #8]
      344:	e5971000 	ldr	r1, [r7]
      348:	e28d2002 	add	r2, sp, #2	; 0x2
@@ -284,6 +286,7 @@
      38c:	0a000001 	beq	0x398
      390:	e3a0c001 	mov	r12, #1	; 0x1
      394:	e5c4c018 	strb	r12, [r4, #24]
+; the entry to the 'w' handling block branches here
      398:	e5d40008 	ldrb	r0, [r4, #8]
      39c:	e5971000 	ldr	r1, [r7]
      3a0:	e1a0200d 	mov	r2, sp
@@ -337,17 +340,17 @@
      460:	e18c8408 	orr	r8, r12, r8, lsl #8
      464:	e2599001 	subs	r9, r9, #1	; 0x1
      468:	1afffff5 	bne	0x444
-     46c:	e59fc9a4 	ldr	r12, [pc, #2468]	; 0xe18
+     46c:	e59fc9a4 	ldr	r12, =0x800750	; via 0xe18
      470:	e158000c 	cmp	r8, r12
      474:	3a00004e 	bcc	0x5b4
-     478:	e59f099c 	ldr	r0, [pc, #2460]	; 0xe1c
+     478:	e59f099c 	ldr	r0, =0x7F8AF	; via 0xe1c
      47c:	e080c00c 	add	r12, r0, r12
      480:	e158000c 	cmp	r8, r12
      484:	8a00004a 	bhi	0x5b4
      488:	e085c006 	add	r12, r5, r6
      48c:	e35c0ffe 	cmp	r12, #1016	; 0x3f8
      490:	aa000037 	bge	0x574
-     494:	e59fc970 	ldr	r12, [pc, #2416]	; 0xe0c
+     494:	e59fc970 	ldr	r12, =0x80010C	; via 0xe0c
      498:	e5dd0000 	ldrb	r0, [sp]
      49c:	e7c6000c 	strb	r0, [r6, r12]
      4a0:	e2860001 	add	r0, r6, #1	; 0x1
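Review bot: The load-address check at 0x46c-0x484 has no comment of its own, although it is what limits where a `<w` block may be written. As annotated, it rejects R8 below 0x800750 (`bcc`) and above 0x800750 + 0x7F8AF = 0x87FFFF (`bhi`), both unsigned compares. It tests the start address only: nothing in this hunk compares address plus payload length against the upper bound, though code outside the hunk may. I would add `; accept only 0x800750 <= R8 <= 0x87FFFF (start address; length not included)` above 0x46c and `; length limit: R5+R6 >= 1016 (0x3F8) -> read and discard at 0x574` at 0x48c.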
@@ -403,6 +406,8 @@
      568:	e2555001 	subs	r5, r5, #1	; 0x1
      56c:	1afffff6 	bne	0x54c
      570:	ea00000a 	b	0x5a0
+; length exceeded: read and discard
+; the increment of R5 looks like a bug!
      574:	e285c001 	add	r12, r5, #1	; 0x1
      578:	e1a0c80c 	mov	r12, r12, lsl #16
      57c:	e1a0582c 	mov	r5, r12, lsr #16
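Review bot: The `looks like a bug!` comment above 0x574 does not say what is wrong, so a later reader cannot verify or refute it. The three instructions shown compute R5 = (R5 + 1) & 0xFFFF, and the comment could state that directly, e.g. `; R5 = (R5 + 1) & 0xFFFF`, followed by one line on why the +1 is suspect (presumably R5 is the count of bytes still to be discarded, but that is not established by the visible lines). The discard loop itself continues outside this hunk.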
@@ -419,30 +424,34 @@
      5a8:	e3a0c003 	mov	r12, #3	; 0x3
      5ac:	e5cbc000 	strb	r12, [r11]
      5b0:	ea00005b 	b	0x724
+; error path (<w load address outside of the permissible IRAM range)
      5b4:	e3a0c001 	mov	r12, #1	; 0x1
      5b8:	e5c4c018 	strb	r12, [r4, #24]
      5bc:	e3a0c003 	mov	r12, #3	; 0x3
      5c0:	e5cbc000 	strb	r12, [r11]
      5c4:	e5d40008 	ldrb	r0, [r4, #8]
-     5c8:	e59f1850 	ldr	r1, [pc, #2128]	; 0xe20
+     5c8:	e59f1850 	ldr	r1, =0xFFFFF	; via 0xe20
      5cc:	e28d2002 	add	r2, sp, #2	; 0x2
      5d0:	eb000394 	bl	0x1428
      5d4:	e3500001 	cmp	r0, #1	; 0x1
      5d8:	0afffff9 	beq	0x5c4
      5dc:	ea000050 	b	0x724
+; another error path (bad block number voodoo)
      5e0:	e3a0c001 	mov	r12, #1	; 0x1
      5e4:	e5c4c018 	strb	r12, [r4, #24]
      5e8:	e3a0c003 	mov	r12, #3	; 0x3
      5ec:	e5cbc000 	strb	r12, [r11]
+; flush serial input (wait for long silence), then return
      5f0:	e5d40008 	ldrb	r0, [r4, #8]
-     5f4:	e59f1824 	ldr	r1, [pc, #2084]	; 0xe20
+     5f4:	e59f1824 	ldr	r1, =0xFFFFF	; via 0xe20
      5f8:	e28d2002 	add	r2, sp, #2	; 0x2
      5fc:	eb000389 	bl	0x1428
      600:	e3500001 	cmp	r0, #1	; 0x1
      604:	0afffff9 	beq	0x5f0
      608:	ea000045 	b	0x724
 ; got 'p'
-     60c:	e59f67f8 	ldr	r6, [pc, #2040]	; 0xe0c
+; R4=0x800518
+     60c:	e59f67f8 	ldr	r6, =0x80010C	; via 0xe0c
      610:	e3a08009 	mov	r8, #9	; 0x9
      614:	e5d40008 	ldrb	r0, [r4, #8]
      618:	e5971000 	ldr	r1, [r7]
@@ -453,12 +462,12 @@
      62c:	e2866001 	add	r6, r6, #1	; 0x1
      630:	e2588001 	subs	r8, r8, #1	; 0x1
      634:	1afffff6 	bne	0x614
-     638:	e59fc7cc 	ldr	r12, [pc, #1996]	; 0xe0c
+     638:	e59fc7cc 	ldr	r12, =0x80010C	; via 0xe0c
      63c:	e5dc0000 	ldrb	r0, [r12]
-     640:	e5c40000 	strb	r0, [r4]
+     640:	e5c40000 	strb	r0, [r4]	; into 800518
      644:	e5dc0001 	ldrb	r0, [r12, #1]
-     648:	e5c40009 	strb	r0, [r4, #9]
-     64c:	e1c450ba 	strh	r5, [r4, #10]
+     648:	e5c40009 	strb	r0, [r4, #9]	; into 800521
+     64c:	e1c450ba 	strh	r5, [r4, #10]	; 16-bit 0 into 800522
      650:	e5dc1003 	ldrb	r1, [r12, #3]
      654:	e5dc0002 	ldrb	r0, [r12, #2]
      658:	e1810400 	orr	r0, r1, r0, lsl #8
@@ -621,6 +630,9 @@
      8ac:	e3a00000 	mov	r0, #0	; 0x0
      8b0:	e8bd83f0 	ldmia	sp!, {r4, r5, r6, r7, r8, r9, pc}
 
+; The routine at 0x8b4 handles the command received by the 0x2c8 routine.
+; The argument in R0 is the code produced by the latter.
+
      8b4:	e92d4070 	stmdb	sp!, {r4, r5, r6, lr}
      8b8:	e24dd008 	sub	sp, sp, #8	; 0x8
      8bc:	e59f4560 	ldr	r4, [pc, #1376]	; 0xe24
--- a/bootrom.notes	Wed Apr 24 19:32:45 2013 +0000
+++ b/bootrom.notes	Wed Apr 24 22:48:12 2013 +0000
@@ -54,8 +54,25 @@
 
 <p
 
+Followed by 9 bytes:
+	1 byte: goes into var at 800518
+	1 byte: goes into var at 800521
+	2 bytes: 16-bit MSB-first value goes into var at 800522
+	1 byte: goes into var at 800525
+	4 bytes: 32-bit MSG-first value goes into var at 80051C
+
 <w
 
+Followed by:
+	1 byte: block number (of this block)
+	1 byte: total # of blocks
+	2 bytes: # of payload bytes in this block (MSB first)
+	4 bytes: load address for this block (MSB first)
+	data
+
+for a single block (both bytes after <w set to 01), the maximum allowed
+payload length is 1015 (0x3F7) bytes.
+
 RAM layout:
 
 800000 7 words:
@@ -71,11 +88,19 @@
 800104: word initialized to 0x0001D4C0 - tells the 0x2c8 routine
 	how long to wait for a character
 800108: byte initialized to 0x01
+80010C: all bytes of a '<w' command after these two command chars
+	are stored starting here
+80050B: the above buffer ends here
 
+800518:	byte variable receives the first parameter byte after '<p'
+80051C: 32-bit var set by the '<p' command
 800520: byte variable filled every time the 0xfb4 routine is called
 	holds the ID of the UART on which '<' came in, or FF if none
+800521:	byte variable receives the 2nd parameter byte after '<p'
+800522:	16-bit var set by the '<p' command
 800524: byte variable filled every time the 0xfb4 routine is called
 	filled with a copy of 800534
+800525:	byte var set by the '<p' command
 
 80052C: byte following the '<c' command is extended to a half-word and
 	written here
@@ -83,6 +108,9 @@
 800534: byte initialized to 0x00, then may be set to 1 by the 0xfb4
 	routine if it selects /1 clock mode.
 800538: word holds the argument of the '<b' command
+80053C: byte indicates validity of the received '<w' command:
+	0 means valid, 1 means something bad
 
 8005C0: appears to be the intended low address (bottom) of the stack
 80074C: top of the stack (initial value loaded into SP)
+800750: lowest address at which user code may be loaded